Baroness Kidron: My Lords, many noble Lords will know that my particular interests, clearly stated on the register, are concerned with making the digital world fit for children and young people, and so the greater part of my comments concern that. However, I wanted to say at the outset that dealing with this Bill without having had the opportunity to scrutinise the GDPR or understand the ambition and scope of the Government’s digital charter, their internet safety strategy or even some of the details that we still await on the Digital Economy Act made my head hurt also.
I start with the age of consent. Like others, I am concerned that the age of 13 was a decision reached not on the advice of child development experts, child campaigners or parents. Perhaps most importantly of all, the decision lacks the voice of young people. They are key players in this: the early adopters of emerging technologies, the first to spot its problems and, so very often, the last to be consulted or, indeed, not consulted at all. Also, like others, I was bewildered when I saw Clause 184. Are Scottish children especially mature or are their southern counterparts universally less so? More importantly, it seems that we have to comply with the GDPR, except when we do not.
As the right reverend Prelate has outlined, the age of 13 is really an age of convenience. We have simply chosen to align UK standards with COPPA, a piece of US legislation that its own authors once described to me as a “terrible compromise”, and which dates from 2000, when the notion of every child carrying a smartphone with the processing power of “Apollo 11” and consulting it every few minutes, hundreds of times day and night, was not even in our imagination, let alone our reality.
Before considering whether 13 is the right age, we should understand what plans the Government have to require tech companies to make any provisions for those aged 13 to 17, or whether it is the considered opinion of the UK Government that in the digital environment a 13 year-old is a de facto adult. Will the Government require tech companies to publish data risk assessments setting out how children are likely to engage with their service at different ages and the steps they have taken to support them, including transparent reporting data? Are we to have minimum design standards in parts of the digital environment that children frequent, and that includes those places that they are not supposed to be? Will the ICO have powers to enforce against ISS providers which do not take steps to prevent very young children accessing services designed for people twice their age? My understanding is that age compliance will continue to be monitored and enforced by the ISS companies themselves.
As Ofcom pointed out, in 2016 in the UK, 21% of 10 year-olds, 43% of 11 year-olds and half of all 12 year-olds had a social media profile, in spite of COPPA. Are the Government planning to adequately resource and train all front-line workers with children, teachers, parents and children in a programme of digital literacy as the House of Lords Communications Committee called for, and in doing so inform all concerned—those 13 and under and those between the ages of 13 and 18—on the impact for young people of inhabiting what is increasingly a commercial environment? Until these questions are answered positively, the argument for a hard age of consent seems weak.
In contrast, in its current code of practice on processing personal data online, the ICO recommends a nuanced approach, advising would-be data collectors that:
“Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly”.
The current system places the obligation on the data controller to consider the context of the child user, and requires them to frame and direct the request appropriately. It underpins what we know about childhood: that it is a journey from dependence to autonomy, from infancy to maturity. Different ages require different privileges and levels of support.
If being GDPR compliant requires a hard age limit, how do we intend to verify the age of the child in any meaningful way without, perversely, collecting more data from children than we do from adults? Given that the age of consent is to vary from country to country—16 in the Netherlands, Germany and Hungary; 14 in Austria—data controllers will also need to know the location of a child so that the right rules can be applied. Arguably, that creates more risk for children, but definitely it will create more data.
In all of this we must acknowledge a child’s right to access the digital world knowledgeably, creatively and fearlessly. Excluding children is not the answer, but providing a digital environment fit for them to flourish in must be. There is not enough in this Bill to fundamentally realign young people’s relationship with tech companies when it comes to their data.
Much like the noble Lord, Lord Knight, my view is that we have got this all wrong. In the future, the user will be the owner of their own data, with our preferences attached to our individual online identity. Companies and services will sign up to our bespoke terms and conditions, which will encompass our interests and tolerances, rather than the other way round. If that sounds a little far-fetched, I refer noble Lords to the IEEE, where this proposal is laid out in considerable detail. For those who do not know the IEEE, it is the pre-eminent global organisation of the electrical engineering professions.
While this rather better option is not before us today, it must inform our understanding that the Bill is effectively supporting an uncomfortable status quo. Challenging the status quo means putting children first, for example by putting the code of practice promised in the Digital Economy Act on a statutory footing so that it is enforceable; by imposing minimum design standards where the end-user is likely or may be a child; by publishing guidance to the tech companies on privacy settings, tracking, GPS and so forth; by demanding that they meet the rights of young people in the digital environment; and by a much tougher, altogether more appropriate, regime for children’s data.
All that could and should be achieved by May, because it comes down to the small print and the culture of a few very powerful businesses for which our children are no match. The GDPR offers warm words on consumer rights, automated profiling and data minimisation, but with terms and conditions as long as “Hamlet”, it is disingenuous to believe that plain English or any number of tick boxes for informed or specific consent will materially protect young people from the real-life consequences of data harvesting, which are intrusive, especially when we have left the data poachers in charge of the rules of engagement.
We could do better—a lot better. I agree wholeheartedly with other noble Lords who are looking for structures and principles that will serve us into the future. Those principles should not only serve us in terms of other EU member states but be bold enough to give us a voice in Silicon Valley. In the meantime, the Government can and should enact the derogation under article 80(2) and in the case of complainants under the age of 18, it should not only be a right but a requirement. We cannot endorse a system where we create poster children on front-line battles with tech companies. We are told that this Bill is about data protection for individuals—a Bill that favours users over business and children over the bottom line. But the absence of Article 8 of the European Charter of Fundamental Rights is an inexcusable omission. The Bill in front of us is simply not robust enough to replace Article 8. I call on the Government to insert that crucial principle into UK legislation. It must be wrong for our post-Brexit legislation to be deliberately absent of underlying principles. It is simply not adequate.
I had a laundry list of issues to bring to Committee, but I think I will overlook them. During the debate, a couple of noble Lords asked whether it was possible to regulate the internet. We should acknowledge that the GDPR shows that it can be done, kicking and screaming. It is in itself a victory for a legislative body—the EU. My understanding is that it will set a new benchmark for data-processing standards and will be adopted worldwide to achieve a harmonised global framework. As imperfect as it is, it proves that the digital environment, which is entirely man and woman-made and entirely privately owned, is not an impossibility but a battle of societal need versus corporate will.
As I said at the beginning, my central concern is children. A child is a child until they reach maturity, not until they reach for their smart phone. Until Mark Zuckerberg, Sergey Brin and Larry Page, Tim Cook, Jack Dorsey and the rest, with all their resources and creativity, proactively design a digital environment that encompasses the needs of children and refers to the concept of childhood, I am afraid that it falls to us to insist. The Bill as it stands, even in conjunction with the GDPR, is not insistent enough, which I hope as we follow its passage is something that we can address together.